They caught him because, just once, he logged onto IRC without going through Tor, revealing his IP address to the FBI. This reveals a little bit about the FBI, namely that they've infiltrated enough of the popular IRC relays to be able to get people's IP addresses. We've always suspected they could; now we know.

This is a good lesson for Tor users. Tor, by itself, is not enough to keep your identity hidden. It "fails open", which means that if you make a mistake, you'll expose your IP address. If "they" are coming after you, you need to configure a "fail closed" network setup, such as by using a second machine as a transparent Tor proxy, such that everything is forced through Tor no matter what you do, and if the Tor service fails, your network connectivity also fails (fail closed). Update: Two commenters think I'm criticizing Tor. I'm not. It's like the fact that crypto isn't enough to keep your data private. The FBI cannot crack AES128, but if you've chosen a poor password, they can crack that. It's not AES128's fault you chose a bad password. It's likewise not Tor's fault you bypassed it in order to log onto IRC. It's just that you should be aware of the importance of choosing good passwords, and of practicing good Tor hygiene.
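As an added example of what "fail closed" means in practice (this is not configuration from the original post or from the Tor project; it is mine), here is a transparent Tor gateway ruleset for a dedicated Linux box or VM that sits between the client machine and the Internet. The client's only route is through this gateway. Every chain policy is DROP, forwarding is never enabled, and the only outbound traffic the gateway itself may originate is from the tor process, so if tor dies the client simply loses connectivity instead of leaking its real address. The names are assumptions, not from the original: tor runs as the user `debian-tor`, the LAN interface facing the client is `eth1`, the client sits on `10.0.0.0/24`, and torrc uses `TransPort 9040` and `DNSPort 5353`.

```shell
#!/bin/sh
# Added example, not from the original post: fail-closed transparent Tor gateway.
# Assumed values (override via environment): tor user, Tor ports, LAN side.
TOR_UID="${TOR_UID:-debian-tor}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"

# torrc lines the gateway needs (append to /etc/tor/torrc on the gateway).
# AutomapHostsOnResolve lets .onion names resolve via DNSPort to a fake
# address in VirtualAddrNetworkIPv4 that TransPort then knows how to route.
torrc_fragment() {
    cat <<EOF
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 0.0.0.0:${TRANS_PORT}
DNSPort 0.0.0.0:${DNS_PORT}
EOF
}

# Emit the firewall in iptables-restore format. There is no path around Tor:
# client DNS and TCP are redirected into Tor's ports, the FORWARD chain
# drops everything (the gateway never routes client packets itself), and
# only the tor user may open outbound connections. Client UDP other than
# DNS is dropped because Tor carries only TCP.
iptables_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i ${LAN_IF} -s ${LAN_NET} -p udp --dport 53 -j REDIRECT --to-ports ${DNS_PORT}
-A PREROUTING -i ${LAN_IF} -s ${LAN_NET} -p tcp --syn -j REDIRECT --to-ports ${TRANS_PORT}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport ${TRANS_PORT} -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p udp --dport ${DNS_PORT} -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --uid-owner ${TOR_UID} -j ACCEPT
COMMIT
EOF
}

# Self-check before applying: returns 0 only if every policy is DROP and
# nothing in the ruleset (MASQUERADE/SNAT) would let client traffic reach
# the Internet directly, i.e. the gateway really is fail-closed.
is_fail_closed() {
    rules="$(iptables_rules)"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:OUTPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -Eq 'MASQUERADE|SNAT' && return 1
    return 0
}

# To apply on the gateway (as root):
#   is_fail_closed && iptables_rules | iptables-restore
#   torrc_fragment >> /etc/tor/torrc && systemctl restart tor
```

The client machine should have the gateway as its only default route and no other interface; the point of a separate box (or VM) is that an application on the client cannot un-proxy itself, because the client never holds a route that bypasses Tor. Run `is_fail_closed` again after any edit to the rules, since a single MASQUERADE line added for convenience turns the gateway back into a fail-open one.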

Another lesson about the FBI is that this is how they always work. You don't expect arrests right away after a major hack. Instead, the FBI will plod along for a year infiltrating as much of the organization as they can, turning key members, gathering hard evidence, and THEN they swoop in and gather everyone up.

This is mostly because hard evidence of past crimes is hard to get. You need evidence of future crimes. Once you've infiltrated the organization and can monitor what they are doing in real time, you'll get evidence of the crimes as they are happening, evidence you couldn't get on their previous crimes.

And the evidence the FBI most wants is for things like "conspiracy" [most of those arrested today are indicted on conspiracy]. Proving you committed a crime is hard; proving you conspired to commit it (by monitoring IRC) is pretty easy. Unless they find the stolen credit card numbers on your laptop, they'll find it difficult to convict you of cybercrime. But they can convict you of conspiracy, intent, obstruction of justice, racketeering, and so on. For example, the Palin hacker was convicted of only misdemeanor hacking, but of felony obstruction of justice because he deleted evidence of the hack.

When your little group has done something really bad, and you realize you've gotten in over your head and the FBI is coming after you, you have the prisoner's dilemma to consider. The first one of you who cracks and helps the FBI track everyone else down will get the sweetheart deal, and everyone else will go to jail. I can't see myself doing this, but at the same time, I can't see myself getting involved in such cybercrime.

Anyway, this is just my notes page. As my stories appear on this subject, I'm going to keep updating this post.

It's not when Tor fails, it's when you fail. The way most people use Tor, if they make the slightest mistake, they reveal their identity. You should instead use Tor in such a manner that mistakes lead to loss of connectivity. A transparent proxy on a separate (or VM) machine does this.

Robert Graham -- Good points, fascinating article, thank you very much for posting it!

I don't know why the other commenters are giving you a hard time about your comments on Tor. Your analysis of the risks with Tor (and the strongest defenses) seems obviously, self-evidently true. Oh well.

True, I largely skimmed the middle bits of the Death and Taxes piece, but I carefully read the conclusion, which was wild-eyed ravings about how the FBI should arrest the white-collar criminals who crashed the economy, etc.

But you are right, the middle part wasn't the wild-eyed conspiracy theories I got from skimming, but a debunking of those theories.